Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI announcement in February, it seems that patching SQL Server wasn’t the issue, and that these were all SQL injections against either custom code or possibly a library that all the victims were using. (Pointers appreciated.)

Will the number of breaches reported by retailers fall by more than 10% in the next six months? (Bets appreciated.)